Category Archives: DDoS Criminals

DDoS extortion attacks on the rise

While digital ransom attacks come in various types and forms, Distributed Denial of Service (DDoS) attacks are top of the list of methods used by attackers to force money from targeted companies. So says Bryan Hamman, territory manager of Arbor Networks, who points out that in recent weeks, well-known names such as Evernote and Feedly have fallen victim to extortion attacks, but these companies are just the tip of the iceberg when it comes to this very lucrative criminal activity. InfoSecurity Magazine reports that this year the number of network time protocol amplification attacks increased 371.43%. The average peak DDoS attack volume increased a staggering 807.48%. The news aggregator Feedly said it had come under a DDoS attack from cyber criminals, which was preventing users from accessing its service. “Criminals are attacking Feedly with a distributed denial of service attack. The attacker is trying to extort money from us to make it stop. We refused to give in and are working with our network providers to mitigate the attack as best as we can,” said Feedly in a blog post. “‘Pay up or we’ll take your Web site down’, so goes the adage that usually accompanies ransom-based cyber-attacks,” says Hamman. According to Arbor’s ninth annual Worldwide Infrastructure Security Report, DDoS extortion attacks account for 15% of all DDoS attacks. While it may seem like a relatively small percentage, one must consider that as many as 10 000 DDoS attacks occur world-wide every day and the potential cost in damages and reputation can have a significant impact on a targeted organisation, Hamman points out. He explains that DDoS extortion attacks are generally volumetric, high bandwidth attacks launched with the aim of crashing a company’s Web site or server by bombarding it with packets, which originate from a large number of geographically distributed bots. The size of volumetric DDoS attacks continues to increase year on year, and they remain a major threat to enterprises and Internet service providers alike, he adds. “Traditionally, DDoS extortion attacks were used against online gambling sites, around major sporting events. Criminal gangs would initiate attacks that would bring the Web site down just before the event was to start, thus forcing the companies to choose between suffering a major loss in monetary and reputational terms or paying up. Increasingly, however, DDoS attacks are being used to extort money from all sorts of businesses and the reality is that no company should feel safe,” he says. So what is the right response when it comes to extortion demands? Hamman asks. “The answer is simple and always the same – not to give in. Organisations should under no circumstances agree to pay the ransom – it can set a dangerous precedent and encourage more attacks in the future; while it might make the pain go away in the short term, the long-term results are generally not worth it. “Declining to pay comes, of course, with severe consequences – as we saw from recent attacks on Feedly, who suffered from three separate waves of DDoS attacks. However, the company has now recovered from the attack and is operating as normal. Furthermore, it has been praised for its brave decision by the security community and even its own customers,” says Hamman. According to Hamman, many companies still rely on reactive measures such as router filters and firewalls, which are inefficient and not sophisticated enough to protect against organised cyber crime. Instead, he says, organisations need to invest in preventive, multi-layered mitigation, which includes on-premise and cloud protection, as well as allowing for co-operation with their ISP or hosting company. In addition, putting a mitigation strategy in place, should the worst happen, is of crucial importance – especially as only 17% of organisations globally feel they are fully prepared for a security incident. “By building defences, implementing plans ahead of time and refusing to give in, businesses needn’t feel threatened anymore – attackers wanting to make easy money will have to look elsewhere.” Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=136989:DDoS-extortion-attacks-on-the-rise&catid=265

See the original article here:
DDoS extortion attacks on the rise

Popcorn Time Hit By Massive DDoS Attack

A major fork of the popular Popcorn Time project is currently being subjected to a massive DDoS attack. The whole project has been hit, from the site hosting its source through to its CDN, API and DNS servers. The team tells TorrentFreak that the attack amounts to 10Gbps across their entire network. Every year sees periods when sites in the file-sharing sector are subjected to denial of service attacks. The attackers and their motives are often unknown and eventually the assaults pass away. Early in 2014 many torrent sites were hit, pushing some offline and forcing others to invest in mitigation technology. In May a torrent related host suffered similar problems. Today it’s the turn of the main open source Popcorn Time fork to face the wrath of attackers unknown. TorrentFreak spoke with members of the project including Ops manager XeonCore who told us that the attack is massive. “We are currently mitigating a large scale DDoS attack across our entire network. We are currently rerouting all traffic via some of our high bandwidth nodes and are working on imaging and getting our remaining servers back online to help deal with the load,” the team explain. The attack is project-wide with huge amounts of traffic hitting all parts of the network, starting with the site hosting the Popcorn Time source code. Attack on the source code site – 980Mbps Also under attack is the project’s CDN and API. The graph below shows one of the project’s servers located in France. The green shows the normal traffic from the API server, the blue represents the attack. Attack on the France API server – 931Mbps Not even the project’s DNS servers have remained untouched. At one point two of three DNS servers went down, with a third straining under almost 1Gbps of traffic. To be sure, a fourth DNS server was added to assist with the load. Attack on the Dutch DNS server – peaking at 880Mbps All told the whole network is being hit with almost 10Gbps of traffic, but the team is working hard to keep things operational. “We’ve added additional capacity. Our DNS servers are currently back up and running but there is still severe congestion around Europe and America. Almost 10Gbps across the entire network. Still working on mitigating. API is still online for most users!” they conclude. Nobody has yet claimed responsibility for the attack and it’s certainly possible things will remain that way. Only time will tell when the attack will subside, but the team are determined to keep their project online in the meantime. Source: http://torrentfreak.com/popcorn-time-hit-by-massive-ddos-attack-140814/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Torrentfreak+%28Torrentfreak%29

Read More:
Popcorn Time Hit By Massive DDoS Attack

DOSarrest Adds New DDoS Protection Node in Singapore

DOSarrest Internet Security announced today that they have expanded their DDoS protection cloud into Asia, with a new DDoS mitigation node in Singapore. The new node will work in conjunction with their existing nodes in New York, Los Angeles and London and will have the same connectivity as the others, including multiple 10 Gb/Sec uplinks to multiple carriers. Jag Bains, CTO at DOSarrest states “Having a presence in Asia allows our existing client base to cache and serve traffic closer to Asian visitors for increased performance as well as enabling us to provide excellent web performance and DDoS protection to customer’s servers located in Asia.” Bains adds “The system is incredibly scalable; this also allows us to offer a higher level of protection to all customers due to the added firepower of a new node in the region. Also the additional nodes will allow us to introduce new features and services in the coming month.” Mark Teolis, GM at DOSarrest says “We have a number of initiatives underway in the region and this will help cement these opportunities” Source: http://www.marketwired.com/press-release/dosarrest-adds-new-ddos-protection-node-in-singapore-1937355.htm

See more here:
DOSarrest Adds New DDoS Protection Node in Singapore

Israel-Hamas conflict sparks surge in DDoS attacks

As conflict between Israel and the Palestinian militant Islamist organisation Hamas escalates, new research has revealed the impact politics has had on cyberattack trends. Tension between countries and changing political landscapes can now often be linked to cybercrime campaigns worldwide. From constant spats between the US and China to increased targeting of Syrian and Thai targets during political unrest, digital weaponry is now a key tool for groups to broadcast their own political messages, spy on governmental agencies and steal valuable data. In a new report released by Arbor Networks, anonymized traffic and DDoS attack data from over 290 ISPs that have deployed Arbor’s Peakflow SP product — collated and analyzed as part of Arbor’s ATLAS initiative — it appears that DDoS attacks are rising in number and volume as a result of the Israel-Hamas conflict. The graph below depicts the number of reported DDoS attacks initiated against Israel daily over the 1 June to 3 August period this year: Distributed Denial of Service (DDoS) attacks are used to flood a website or service with traffic to the point systems cannot cope, denying other users access to the website. Arbor detected a rise in the number of DDoS attacks targeting Israel in the first week of July, going from an average of 30 attacks per day to an average of 150 attacks initiated per day in July — peaking at 429 attacks on July 21st. Linking these cyberattacks to political situations, 30 June is when Israel publicly attributed the deaths of three kidnapped Israeli teenagers to Hamas, and on 7 July, “Operation Protective Edge” was launched by the country. As the political conflict raged on, so did the frequency of DDoS attacks until a drop occurred on 28 July lasting through 2 August. Arbor says the drop in attacks roughly correlates with cease fire talks which began 27 July. From 28 July through 2 August, there were 192 attacks recorded in total. On 3 August, the number of DDoS attacks rose sharply, with 268 attacks in total. In addition to the number of DDoS attacks over these time periods, the security researchers also noticed an increase in the peak size of these attacks. In the graph below, we can see that in June, no attacks exceeded 12Gbps. In July, seven DDoS attacks exceeded this size, with the largest peaking at 22.56Gbps on 12 July. When cease-fire talks fell apart on 3 August, the largest DDoS attack was recorded at a size of 29Gbps. The duration of DDoS attacks has also increased. In June, the average duration was 20 minutes — with a peak duration of 24 hours — and in July, the average duration was 1 hour 39 minutes. “As the intensity of the Israeli-Hamas conflict has increased, so has the number, size and duration of the DDoS attacks targeting Israel,” the researchers say. “Additionally, it even appears as if the attackers have made an effort to adhere to the “real world” calls for a cease-fire, resuming their attacks when the cease fire fell through.” Source: http://www.zdnet.com/israel-hamas-conflict-sparks-surge-in-ddos-attacks-7000032375/#ftag=RSS14dc6a9

Original post:
Israel-Hamas conflict sparks surge in DDoS attacks

DDoS attack volumes plummet as NTP servers got patched

Wise to attackers’ exploitation of the Network Time Protocol (NTP) vulnerability to create distributed reflection denial of service (DrDoS) attacks, information security executives thwarted these type…

More here:
DDoS attack volumes plummet as NTP servers got patched

RIA Novosti Website Hit by DDoS Attack

RIA Novosti’s website has fallen foul of a distributed denial-of-service (DDoS) attack by hackers, the agency’s IT specialists reported on Sunday. The mobile version of the website is currently inaccessible. Problems with the website’s full version were also reported for a short period of time. The agency’s terminal for clients has not been hampered. Unidentified hackers first attacked the website of InoSMI. When the attack was neutralized, they attempted to disrupt the work of RIA Novosti’s website. IT specialists are now working to eliminate the disruption that has caused by the attack. This is not the first cyber attack on the news agency. In May 2012, the RIA Novosti website was hit by a DDoS attack from some 2,500 IP-addresses. Another DDoS attack on the agency’s website was carried out in July 2013. Source: http://en.ria.ru/russia/20140803/191676816/RIA-Novosti-Website-Hit-by-Cyber-Attack.html

View the original here:
RIA Novosti Website Hit by DDoS Attack

Amazon cloud infested with DDoS botnets

Security researchers have found yet another exploit on the Amazon cloud computing platform through the Elasticsearch distributed search engine tool. According to analysis, hackers are able to gain access to the search engine to deploy a battalion of botnets on Amazon cloud. The vulnerability should be a cause of alarm and, therefore, merits the attention of enterprises because it could manipulate Amazon cloud platforms in an attempt to launch distributed denial of service attacks against hundreds of thousands of websites. Amazon cloud users can a representational state transfer API to search various documents through Elasticsearch, an open-source search engine server built based on Java. It is more popular among cloud environments for its distributed architecture that enables multiple nodes. Researchers found security issues on the versions 1.1.x of Elasticsearch because its API scripting lacks a mechanism to authenticate access and a sandbox security infrastructure. Therefore, anyone, including hackers, can penetrate Elasticsearch just so easy. After that, attackers could carry out several malicious activities using Elasticsearch’s scripting capability such as carrying out arbitrary code on the server. As of now there is no patch coming from the developers of Elasticsearch. Nonetheless, versions 1.2.0 and up are safe from being exploited by hackers. New offshoots of Mayday Trojan for Linux has been spotted over the past week and the malware already launched DDoS attacks against targets DNS amplification. A Mayday variant was reported to be running on an Amazon server that has been compromised through the Elasticsearch exploit, though there are other platforms that could have been potentially manipulated. However, the Mayday variant did not resort to DNS amplification on the compromised EC2 instances. Instead it was used to launch attacks by flooding several websites with UDP traffic. As a result, many regional banking institutions in the United States and electronics companies in Japan had to transfer their IP addresses to DDoS mitigation service vendors. The Amazon EC2-run virtual machines were also reported to have been attacked by hackers through a CVE-2014-3120 exploit in the 1.1.x versions of Elasticsearch. Researchers observed that many commercial enterprises still use those versions. According also to security researchers, attackers have changed proof-of-concept exploit code for CVE-2014-3120 to install a Web shell developed based on Perl. A Web shell is a script that enables hackers to deploy Linux shell commands backdoor through the Web. The script was then further manipulated to download a fresh variant of the Mayday DDoS botnet. Amazon has already notified its customers about the issue. Source: http://www.techwalls.com/amazon-cloud-infested-ddos-botnets/

See more here:
Amazon cloud infested with DDoS botnets

“Chinese YouTube” Used as DDoS attack Machine

Even the biggest websites in the world are vulnerable to DDoS. Want proof? Well, all throughout this past April, a hacker took advantage of a hole in Sohu.com’s security to launch Persistent Cross-Site Swapping (XSS) attacks against various targets across the globe. Sohu.com, in case you don’t know, is one of the largest websites in the world – in fact 24th largest, according to Alexa Top 100 Ranking. But, for all its size and multi-billion dollar net worth, Sohu could be exploited by hackers who managed to convert its popularity into a massive Persistent XSS enabled DDoS attack. Devastating New DDoS Attack Method At its basis, Persistent XSS is a crafty type of malicious code injection. This injection method involves convincing a server to save data from an outside source (the hacker) and then refresh the data every time a new browser accesses the page. In this attack, the hacker saved to Sohu’s server a JS script that runs a DDoS tool. To do this, he placed a malicious JS script within the avatar image of a fabricated user profile. As with most video sites, this infected user picture would then show up next to any comments wrote by this profile, on Sohu’s video pages. The hacker was smart enough to write a JS script that would hijack every new browser that accessed a video page with the infected comment, forcing it to run a sent DDoS to the target site. The hacker programmed the script to send GET requests to the target once a second. Imagine; thousands of users watching a video on Sohu sending malicious GET requests every second. These bad requests add up quickly, quickly growing to millions every minute. Interestingly enough, the hacker also had the brains to put his infected comment on the most popular and longest playing videos, so the viewers would rack up DDoS requests even faster. This large security event goes to show that even powerful websites can be manipulated by hackers. Where Will the Next Attack Come From? It’s difficult to say. This case study shows that hackers will use whatever means necessary to take down their targets. Without 3rd party protection services, most websites can only defend what they’ve seen already–they can only react after they have been hit. In this instance, the hacker was clever enough to fly under the radar and avoid detection by Sohu’s watchful IT team. If the hacker had chosen a target without a DDoS protection service, Sohu might still be a giant DDoS machine causing havoc on innocent websites. Source: http://www.economicvoice.com/chinese-youtube-used-as-ddos-machine/  

Continue Reading:
“Chinese YouTube” Used as DDoS attack Machine